Getting Data In

How to troubleshoot why my universal forwarder is not phoning home?

w0lverineNOP
Path Finder

I installed my universal forwarder on an Ubuntu server. I have successfully established a connection to my Splunk Enterprise server (netstat). And as I continue pinging my Splunk server from my universal Forwarder, I still get nothing.

Source: https://www.youtube.com/watch?v=ioGKxQTdp9k

How can I successfully use my universal forwarder?

1 Solution

aljohnson_splun
Splunk Employee

Is listening enabled on the indexer?

[demo@Indexer bin]$ ./splunk display listen
Receiving is enabled on port 9997.

Is the deployment client (forwarder) configured?

[demo@Forwarder bin]$ ./splunk show deploy-poll
Deployment Server URI is set to "10.0.0.201:8089"

Is forwarding setup on the forwarder?

[demo@Forwarder bin]$ ./splunk list forward-server
Active forwards:
    10.0.0.200:9997
Configured but inactive forwards:
    None

What is the forwarder's splunk hostname?

[demo@Forwarder bin]$ ./splunk show servername
Server name: engdev00
[demo@Forwarder bin]$ ./splunk show default-hostname
Default hostname for data inputs: engdev00.

Are events coming into the _internal index on the forwarder?

index=_internal host=engdev00

If they are, then you are ready to start defining some inputs.

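The checklist above tells you what the forwarder is configured to do; what it actually did is recorded by its own output pipeline in $SPLUNK_HOME/var/log/splunk/splunkd.log, which is also where the _internal events in the last step come from. The script below is an added example, not part of the original answer or of Splunk's own tooling: it reads that file and reports, per indexer endpoint, whether the last thing TcpOutputProc/TcpOutputFd logged was a successful connection or a failure, with a failure count. The log line shapes it matches ("Connected to idx=host:port", "Connect to host:port failed", "Cooked connection to ip=host:port timed out") are the ones a universal forwarder emits; the sample lines embedded in the script are constructed for the example and are not from the poster's system.

```python
"""Summarise what a universal forwarder's splunkd.log says about its indexers.

Added example (not from the original post). Usage on the forwarder:

    python3 uf_outputs_state.py /opt/splunkforwarder/var/log/splunk/splunkd.log

With no argument it runs against the constructed SAMPLE_LOG below.
"""
import re
import sys
from collections import defaultdict

# splunkd.log line: "MM-DD-YYYY HH:MM:SS.mmm +ZZZZ LEVEL  Component - message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4})\s+"
    r"(?P<level>[A-Z]+)\s+(?P<component>[\w:]+)\s+-\s+(?P<msg>.*)$"
)
# First host:port in the message, whichever form the component used
# (idx=..., ip=..., "Connect to ...").
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}:\d{1,5})")

# Only the output pipeline components matter for "is it phoning home".
OUTPUT_COMPONENTS = ("TcpOutputProc", "TcpOutputFd")

# Constructed sample: a refused connect, then success, on one indexer;
# a timeout on a second one; and an unrelated deployment-client line.
SAMPLE_LOG = """\
03-14-2021 10:00:01.123 +0000 INFO  TcpOutputProc - Initializing connection for non-ssl forwarding to 10.0.0.200:9997
03-14-2021 10:00:01.456 +0000 WARN  TcpOutputFd - Connect to 10.0.0.200:9997 failed. Connection refused
03-14-2021 10:00:31.789 +0000 INFO  TcpOutputProc - Connected to idx=10.0.0.200:9997, pset=0, reuse=0.
03-14-2021 10:05:00.000 +0000 WARN  TcpOutputProc - Cooked connection to ip=10.0.0.201:9997 timed out
03-14-2021 10:05:00.001 +0000 INFO  DC:DeploymentClient - channel=tenantService/handshake Will retry sending handshake message to DS
"""


def parse_line(line):
    """Split one splunkd.log line into its fields, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    ep = ENDPOINT_RE.search(rec["msg"])
    rec["endpoint"] = ep.group(1) if ep else None
    return rec


def summarise(lines):
    """Return {endpoint: {"state": str, "last": timestamp, "failures": int}}.

    state is "connected" if the most recent state-changing message for that
    endpoint was a successful connect, "failed" if it was a refusal/timeout/
    close, and "unknown" if only informational lines were seen.
    """
    state = defaultdict(lambda: {"state": "unknown", "last": None, "failures": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["component"] not in OUTPUT_COMPONENTS:
            continue
        if rec["endpoint"] is None:
            continue
        entry = state[rec["endpoint"]]
        entry["last"] = rec["ts"]
        msg = rec["msg"]
        if "Connected to idx=" in msg:
            entry["state"] = "connected"
        elif "failed" in msg or "timed out" in msg or "closed" in msg:
            entry["state"] = "failed"
            entry["failures"] += 1
    return dict(state)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            lines = fh.readlines()
    else:
        lines = SAMPLE_LOG.splitlines()
    summary = summarise(lines)
    if not summary:
        print("no TcpOutputProc/TcpOutputFd messages found: is outputs.conf loaded?")
        return 1
    for endpoint, info in sorted(summary.items()):
        print(f"{endpoint}: {info['state']} (last seen {info['last']}, failures={info['failures']})")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A "connected" endpoint here plus nothing in the index means the TCP session is fine and the problem is on the input or index side (no monitor stanza, or an index name the indexer does not have); a "failed" one points at the receiver, the port, or a firewall, whatever netstat shows.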

jplumsdaine22
Influencer

I was 99% sure you were going to rickroll Splunk Answers

somesoni2
Revered Legend

First, it was really nice that you uploaded the video. Most of the time we don't know exactly what's going on but that is really helpful.
Second, I can see the data is coming from TA-Linux apps, but can you check if the data is going to right index? You enabled the same inputs in your indexer and can see that in Splunk App for Unix, but check the index that Indexer is storing the data and what UF is sending data to.


jbrocks
Communicator

Hi everybody. I know the post is two years old, but I am having similar problems. For me all the steps above are working correctly and I am seeing events from my forwarder in the _internal index. But somehow the forwarder does not show up in "Forwarder management"? Any suggestions?

0 Karma

w0lverineNOP
Path Finder

Everything is green, though I did not configure my inputs.conf. I configured my outs.conf instead, which is at the file location /opt/splunkforwarder/etc/system/local/inputs.conf.

[default]
host = bss

[monitor:///var/log/snort/snort.log.*]
sourcetype = snort
index = snort_alert
disabled = false

Would this be the correct way to set up my inputs.conf?

0 Karma

jplumsdaine22
Influencer

Yep, the file syntax here should be in your inputs.conf file on the forwarder, /opt/splunkforwarder/etc/system/local/inputs.conf.

0 Karma
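The stanza above only gets data into Splunk if the index it names exists on the receiving side, which is the point somesoni2 raised earlier in the thread. The following is an added example, not configuration from the original posters: the forwarder's inputs.conf as posted, beside the indexes.conf stanza the indexer needs so that index=snort_alert is actually written. The paths under $SPLUNK_DB are assumed defaults; adjust them to your indexer's volume layout.

```ini
# Forwarder: /opt/splunkforwarder/etc/system/local/inputs.conf
# [default] host overrides the forwarder's default hostname for every input
# in this file; omit it if "splunk show default-hostname" already gives the
# value you want.
[default]
host = bss

[monitor:///var/log/snort/snort.log.*]
sourcetype = snort
index = snort_alert
disabled = false

# Indexer: $SPLUNK_HOME/etc/system/local/indexes.conf (or an app under etc/apps).
# If this stanza is missing, the indexer drops the forwarded events and logs
# "Received event for unconfigured/disabled/deleted index=snort_alert" in its
# own splunkd.log, while the forwarder still reports a healthy connection.
[snort_alert]
homePath   = $SPLUNK_DB/snort_alert/db
coldPath   = $SPLUNK_DB/snort_alert/colddb
thawedPath = $SPLUNK_DB/snort_alert/thaweddb
```

Restart both instances after the change, confirm the merged view with `splunk btool inputs list --debug` on the forwarder (it shows which file each setting came from), and make sure the account the forwarder runs as can read /var/log/snort; a monitor stanza on an unreadable path is silently empty.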